Timed Multiparty Session Types ?

Laura Bocchi, Weizhen Yang, and Nobuko Yoshida

Imperial College London

Abstract. We propose a typing theory, based on multiparty session types, for modularverification of real-time choreographic interactions. To model real-time implementa-tions, we introduce a simple calculus with delays and a decidable static proof system.The proof system with time constraints ensures type safety and time-error freedom,namely processes respect the prescribed timing and causalities between interactions. Adecidable condition, enforceable on timed global types, guarantees global time-progressfor validated processes with delays, and gives a sound and complete characterisation ofa new class of CTAs with general topologies that enjoys global progress and liveness.

1 IntroductionCommunicating timed automata (CTAs) [14] extend the theory of timed automata [3]to enable a precise specification and verification of real-time distributed protocols. ACTA consists of a finite number of timed automata synchronising over the elapsingof time and exchanging messages over unbound channels. In spite of its simplicity,the combination of timed automata [3] and communicating automata (CAs) [8] canrepresent many different temporal aspects from a local viewpoint. On the other hand, themodel is known to be computationally hard, and it is difficult to directly link its idealisedsemantics to implementations of programming languages and distributed systems.

On a parallel line of research, multiparty session types (MPSTs) [13, 6] have beenproposed to describe communication protocols among two or more participants from aglobal viewpoint. Global types are projected to local types, against which programs canbe type-checked and verified to behave correctly without deadlocks. This framework isapplied in industry projects [19] and to the governance of large cyberinfrastructures [17]via the Scribble (a MPST-based tool chain) project [20].

From the theoretical side, in the untimed setting recent work brings CAs into chore-ographic frameworks, by seeking a correspondence with projected local types [11]. Weproceed along these lines by applying the idealised mathematical semantics of CTAs tothe design of MPSTs with clocks, clock constraints, and resets, in order to fill the gapbetween the abstract specification by CTAs and the verification of real-time programs.Surprisingly, since MPSTs inherently capture relative temporal constraints by imposingan order on the communications, they enable effective verification without limitationson topology or buffer-boundedness, unlike existing work on CTAs.

We organise our results in two parts. First we show that although time annotationsincrease the expressive power of global types, time-error freedom is guaranteed without

? We would like to thank Viviana Bono and Mariangiola Dezani-Ciancaglini, and Massimo Bartoletti forthe discussions and insightful comments on a previous version of this paper, which allowed us to improveour work.

additional time analysis of the types. In § 3 we give the semantics of timed global types(TGs) and prove soundness and completeness of the projection onto timed local types(TLs) (Theorem 3.3). In § 4 we give a simple π-calculus for programs (running as pro-cesses) with delays that can be used to synchronise the communications in a session. Acompositional proof system for the π-calculus enables a modular verification for time-error freedom (Theorem 4.4): if all programs in a system are validated, then the globalconversation will respect the prescribed timing and causalities between interactions.

In the second part we investigate the conditions for an advanced property – time-progress – ensuring that if a process deadlocks, then its untimed counter-part wouldalso deadlock (i.e., deadlock is not caused by time constraints). The fact that untimedprocesses in single sessions are deadlock-free [13] yields progress for timed processes.Time-progress is related to two delicate issues: (1) some time constraints in a TG maybe unsatisfiable and (2) there may exist some distributed implementation of the TGwhich deadlocks. We give two sufficient conditions on TGs (§5) to prevent (1) and(2) from happening: feasibility (for each partial execution allowed by a TG there is acorrect complete one) and wait-freedom (if all senders respect their time constraints,then no receiver has to wait for a message). Feasibility and wait-freedom are decidable(Proposition 5.1), and if we start from feasible and wait-free TGs, then the proof systemgiven in part one guarantees time-progress for processes (Theorem 5.4). Transparencyof properties is guaranteed not only between TGs and processes, but also between TGsand CTAs: we give a sound and complete characterisation (Theorem 5.6) yielding anew class of CTAs which enjoys progress and liveness (Theorem 5.7). Conclusions andrelated work are in § 6. For the reviewers convenience we attach an appendix with fullproofs, detailed related work, and the definitions omitted in the paper.

2 Running example: a use-case of a distributed timed protocol

The motivating scenario developed with our partner, the Ocean Observatories Initiative(OOI) [17], is directed towards deploying a network of sensors and ocean instrumentsused/controlled remotely via service agents. In many OOI use-cases, requests are aug-mented with deadlines, and services are scheduled to execute at certain time intervals.These temporal requirements can be represented by combining global protocol descrip-tions from MPSTs and time from CTAs. We show, using a Message Sequence Chart(MSC)-like notation, a protocol to calculate the average water temperature via sensorsampling. The protocol involves three participants: a master M that initiates the sam-pling, a worker/sensor W with fixed response time w, and an aggregator A for accumu-lating the data; their time constraints are expressed using clocks xM, xW, and xA, initiallyset to 0. Delays l (average latency of the network) and w (sampling time) are expressedin milliseconds. Each clock can be reset many times.

2

M

<task>

⊕

more<data>

(1)

(2)

(3)(4)

(5)

iterate

l = 400 (latency), w = 300,000 (sampling)Delays (in ms):

W A

xM = 0

<data>

more<task>

stop<data>

stop

xM := 0 l ≤ xW < 2l

xM =2l+w xW ≤ wxW := 0

xM =2l+w

xM := 0

xM := 0

xW = 2lxW := 0

xW = 2lxW := 0

3l+w ≤ xAxA := 0

3l+w ≤ xAxA := 0

(1): M sends W a message of type task and resets xM (xM := 0).After at least l and at most 2l, W receives the message.

(2): W completes the task and replies to M with the temperature(of type data) at any time satisfying xW ≤ w and resets xW. Mreceives the message at time xM = 2l +w.

(3): M immediately sends A a message of type data along witheither label more (the sampling continues for another iteration)or label stop (enough results have been aggregated).

(4): If more was selected in (3) then M sends W a new task withlabel more, resets xM and another iteration is executed.

(5): If stop was selected, M notifies W and the session ends.

We build on the synchronous semantics in [14] i.e., time elapses at the same pace for allthe parts of the system. However, note that clocks can be reset at different times, hencee.g. the values of xM, xW, and xA differ at some point.

3 Timed multiparty session typesGlobal types [6, 13] are specifications of the interactions (causalities and carried datatypes) of multiparty sessions. A global type can be automatically projected onto a setof local types describing the session from the perspective of each single participantand used for local verification of processes. We extend global and local types withconstraints on clocks, yielding timed global types (TGs) and local session types (TLs).

We use the definitions from timed automata (see [3, § 3.3], [14, § 2]): let X bea set of clocks ranging over x1, . . . ,xn and taking values in R≥0. A clock assignmentν : X 7→ R≥0 returns the time of the clocks in X . We write ν+ t for the assignmentmapping all x ∈ X to ν(x)+ t. We write ν0 for the initial assignment mapping all clocksto 0. The set Φ(X) of clock constraints over X is:

δ ::= true | x > c | x = c | ¬δ | δ1∧δ2

where c is a bound time constant taking values in Q≥0 (we derive false, <,≤,≥, ∨ inthe standard way). The set of free clocks in δ, written fn(δ), is defined inductively as:fn(true) = /0, fn(x > c) = fn(x = c) = {x}, fn(¬δ) = fn(δ), and fn(δ1∧δ2) = fn(δ1)∪fn(δ2). We write δ( #»x ) if fn(δ) = #»x and let ν |= δ denote that δ is satisfied by ν. A resetpredicate λ over X is a subset of X . When λ is /0 then no reset occurs, otherwise theassignment for each x ∈ λ is set to 0. We write [λ 7→ 0]ν for the clock assignment thatis like ν except 0 is assigned to all clocks in λ.

Participants (p,q,p1, . . .∈N) interact via point-to-point asynchronous message pass-ing. An interaction consists of a send action and a receive action, each annotated witha clock constraint and a reset predicate. The clock constraint specifies when that actioncan be executed and the reset predicate specifies which clocks must be reset.

Syntax. The syntax for sorts S, timed global types G, and timed local types T is:

S ::= bool | nat | . . . | G | (T,δ)G ::= p→ q : {li〈Si〉{Ai}.Gi}i∈I | µt.G | t | end A ::= {δO,λO,δI,λI}T ::= p⊕{li : 〈Si〉{Bi}.Ti}i∈I | p&{li : 〈Si〉{Bi}.Ti}i∈I | µt.T | t | end B ::= {δ,λ}The sorts S include base types (bool, nat, etc.), G for shared name passing (used for

3

the initiation of sessions of type G, cf. § 4), and (T,δ) for session delegation. Sort (T,δ)allows a participant involved in a session to delegate the remaining behaviour T ; upondelegation the sender will no longer participate in the delegated session and receiverwill execute the protocol described by T under any clock assignment satisfying δ. Gand T in sorts do not include free type variables.

In G, type p→ q : {li〈Si〉{Ai}.Gi}i∈I models an interaction: p chooses a branch i∈ I,where I is a finite set of indices, and sends q the branching label li along with a messageof sort Si. The session then continues as prescribed by Gi. Each branch is annotated witha time assertion Ai = {δO,λO,δI,λI}, where δO and λO are the clock constraint and resetpredicate for the output action, and δI and λI are for the input action. We will writep→ q : 〈S〉{A}.G′ for interactions with one branch. Recursive type µt.G associates atype variable t to a recursion body G; we assume that type variables are guarded in thestandard way and end occurs at least once in G (this is a common assumption e.g., [9]).We denote by P (G) the set of participants of G and write G′ ∈G when G′ appears in G.

As in [14] we assume that the sets of clocks ‘owned’ (i.e., that can be read and reset)by different participants in a TG are pair-wise disjoint, and that the clock constraint andreset predicate of an action performed by a participant are defined only over the clocksowned by that participant. The example below violates this assumption.

G1 = p→ q : 〈int〉{xp < 10,xp,xp < 20,xp}

since both the constraints of the (send) action of p and of the (receive) action of q aredefined over xp, and xp can be owned by either p or q (similarly for the reset predicates{xp}). Formally, we require that for all G there exists a partition {X(p,G)}p∈P (G) of Xsuch that p→ q : {li〈Si〉{δOi,λOi,δIi,λIi}.Gi}i∈I ∈G implies fn(δOi),λOi ⊆ X(p,G) andfn(δIi),λIi ⊆ X(q,G) for all i ∈ I.

In T , interactions are modelled from a participant’s viewpoint either as selectiontypes p⊕{li : 〈Si〉{Bi}.Ti}i∈I or branching types p&{li : 〈Si〉{Bi}.Ti}i∈I . We denotethe projection of G onto p ∈ P (G) by G ↓p; the definition is standard except each{δO,λO,δI,λI} is projected onto the sender (resp. receiver) by keeping only the outputpart {δO,λO} (resp. the input part {δI,λI}), e.g., if G = p→ q : {li〈Si〉{Bi,B′i}.Gi}i∈Ithen G ↓p= q⊕{li : 〈Si〉{Bi}.Gi ↓p}i∈I and G ↓q= p&{li : 〈Si〉{B′i}.Gi ↓q}i∈I .

Example 3.1 (Temperature calculation) We show below the global timed type G forthe protocol in § 2 and its projection G ↓M onto M. We write for empty reset predicates.G = M→ W : 〈task〉{B1

O,B1I}.µt.G′

G′ = W→ M : 〈data〉{B2O,B

2I}.

M→ A : {more〈data〉{B3O,B

3I}. M→ W : more〈task〉{B4

O,B4I}.t,

stop〈data〉{B3O,B

3I}. M→ W : stop〈〉{B4

O,B4I}.end}

G ↓M = W⊕〈task〉{B1O}.

µt. W&〈data〉{B2I}.

A⊕{more : 〈data〉{B3O}.W⊕more : 〈task〉{B4

O}.t,stop : 〈data〉{B3

O}.W⊕ stop : 〈〉{B4O}.end}

B1O = {xM = 0,xM}

B1I = {l ≤ xW < 2l, }

B2O = {xW ≤ w,xW}

B2I = {xM = 2l +w, }

B3O = {xM = 2l +w, }

B3I = {3l +w≤ xA,xA}

B4O = {xM = 2l +w,xM}

B4I = {xW = 2l,xW}

Remark 3.1 (On the importance of resets). Resets in timed global types play an impor-tant role to model the same notion of time as the one supported by CTAs, yielding amore direct comparison between types and CTAs. Resets give a concise representation

4

of several scenarios, e.g., when time constraints must be repeatedly satisfied for an un-bounded number of times. This is clear from § 2 and Example 3.1: the repetition ofthe same scenario across recursion instances (one for each sampling task) is modelledby having all participants to reset their clocks in their last action before starting a newrecursion instance (e.g., B3

I, B4O and B4

I on the second line of G′ in Example 3.1).

Semantics of timed global types. The LTS for TGs is defined over states of the form(ν,G) and labels ` ::= pq!l〈S〉 | pq?l〈S〉 | t where pq!l〈S〉 is a send action (i.e., p sendsl〈S〉 to q), pq?l〈S〉 is the dual receive action, and t ∈R≥0 is a time action modelling timepassing. We denote the set of labels by L and let subj(pq!l〈S〉) = p, subj(qp?l〈S〉) = p

and subj(t) = /0.We extend the syntax of G with p q : l〈S〉{A}.G to describe the state in which

message l〈S〉 has been sent by p but not yet received by q (as in [11, § 2]). The sep-aration of send and receive actions is used to model the asynchronous behaviour indistributed systems, as illustrated by the following example.

p→ q : 〈int〉{xp < 10, ,xq ≥ 10, }.p→ r : 〈int〉{xp ≥ 10, ,true, }pq!〈int〉−−−−−→ p q : 〈int〉{xp < 10, ,xq > 20, }.p→ r : 〈int〉{xp < 10, ,true, }pr!〈int〉−−−−−→ p q : 〈int〉{xp < 10, ,xq > 20, }.p r : 〈int〉{xp ≥ 10, ,true, }

After the first action pq!〈int〉 the TG above can reduce by one of the following actions:a send pr!〈int〉 (as illustrated), a receive of q, or a time step. By using intermediatestates, a send action and its corresponding receive action (e.g., pq!〈int〉 and pq?〈int〉)are separate, hence could be interleaved with other actions, as well as occur at dif-ferent times. This fine-grained semantics corresponds to local type semantics whereasynchrony is modelled as message exchange through channels (see Theorem 3.3).

TGs are used as a model of the correct behaviour for distributed implementations in§ 4. Therefore their semantics should only include desirable executions. We need to takespecial care in the definition of the semantics of time actions: if an action is ready to beexecuted and the associated constraint has an upper bound, then the semantics shouldprevent time steps that are too big and would make that clock constraint unsatisfiable.For instance in p→ q : 〈int〉{xp ≤ 20, ,true, } (assuming xp = 0) the LTS shouldallow, before the send action of p occurs, only time steps that preserve xp ≤ 20.

More generally, we need to ensure that time actions do not invalidate the constraintof any action that is ready to be executed, or ready action. A ready action is an actionthat has no causal relationship with other actions that occur earlier, syntactically. A TGmay have more than one ready action, as shown by the following example.

p→ q : 〈int〉{xp ≤ 20, ,true, }.k→ r : 〈int〉{xk < 10, ,xr = 10, }

The TG above has two ready actions, namely the send actions of p and of k which canhappen in any order due to asynchrony (i.e., an order cannot be enforced without extracommunications between p and k). In this case a desirable semantics should prevent theelapsing of time intervals that would invalidate either {xp ≤ 20} or {xk < 10}.

Below, function rdy(G,D) returns the set, for each ready actions in G, of elementsof the form {δi}i∈I which are the constraints of the branches of that ready action. Dis a set of participants, initially empty, used to keep track of the causal dependenciesbetween actions. We write rdy(G) for rdy(G, /0).

5

j ∈ I A j = {δO,λO,δI,λI} ν |= δO ν′ = [λO 7→ 0]ν

(ν,p→ q : {li〈Si〉{Ai}.Gi}i∈I)pq!l j〈S j〉−−−−−→ (ν′,p q : l j〈S j〉{A j}.G j)

bSELECTc

ν |= δI ν′ = [λI 7→ 0]ν

(ν,p q : l〈S〉{δO,λO,δI,λI}.G)pq?l〈S〉−−−−→ (ν′,G)

(ν,G[µt.G/t]) `−→ (ν′,G′)

(ν,µt.G)`−→ (ν′,G′)

bBRANCHc/bRECc

∀k ∈ I (ν,Gk)`−→ (ν′,G′k) p,q 6∈ sub j(`) ` 6= t

(ν,p→ q : {li〈Si〉{Ai}.Gi}i∈I)`−→ (ν′,p→ q : {li〈Si〉{Ai}.G′i}i∈I)

bASYNC1c

(ν,G)`−→ (ν′,G′) q 6∈ sub j(`)

(ν,p q : l〈S〉{A}.G)`−→ (ν′,p q : l〈S〉{A}.G′)

ν+ t |=∗ rdy(G)

(ν,G)t−→ (ν+ t,G)

bASYNC2c/bTIMEc

Fig. 1. Labelled transitions for timed global types

(1)rdy(p→ q : {li〈Si〉{Ai}.Gi}i∈I ,D)

(with Ai = {δOi,λOi,δIi,λIi})=

{{{δOi}i∈I}

⋃i∈I rdy(Gi,D∪{p,q}) if p 6∈ D⋃

i∈I rdy(Gi,D∪{p,q}) otherwise

(2) rdy(p q : l〈S〉{δO,λO,δI,λI}.G,D) =

{{{δI}}∪rdy(G,D∪{q}) if q 6∈ Drdy(G,D∪{q}) otherwise

(3) rdy(µt.G,D) = rdy(G,D) (4) rdy(t,D) = rdy(end,D) = /0

In (1) the send action of p is ready, hence the singleton including the constraints {δOi}i∈Iare added to the solution and each Gi is recursively checked. Any action in Gi involvingp or q is not ready. Adding {p,q} to D ensures that the constraints of actions thatcausally depend from the first interaction are not included in the solution. (2) is similar.

Definition 3.2 (Satisfiability of ready actions) We write ν |=∗ rdy(G) when the con-straints of all ready actions of G are satisfiable under ν or sometimes in the future.Formally, ν |=∗ rdy(G) iff ∀{{δi}i∈I} ∈ rdy(G)∃ t ≥ 0, j ∈ I. ν+ t |= δ j.

By requiring the satisfiability of some j∈ I (i.e., for some branches of a ready action) weallow each action to be executed at any time allowed by its constraints, not necessarilyat the earliest possible time. In this way, the semantics of TGs specifies the full range ofcorrect behaviours.

The transition rules for TGs are given in Figure 1. We assume the execution alwaysbegins with initial assignment ν0. Rule bSELECTc models selection as usual, except thatthe clock constraint of the selected branch j is checked against the current assignment(i.e., ν |= δO) which is updated with reset predicate λO. Rule bBRANCHc is the dual forbranching. Rules bASYNC1c and bASYNC2c model interactions that appear later (syntacti-cally), but are not causally dependent on the first interaction. Rule bTIMEc models timepassing by incrementing all clocks; the clause in the premise prevents time steps thatwould make the clock constraints of some ready action unsatisfiable. Note that bTIMEccan always be applied to (ν,end) since ν+ t |=∗ rdy(end) for all t.

Semantics for timed local types. The LTS for TLs is defined with states (ν,T ), labelsL and by the following rules:

6

(ν,q⊕{li : 〈Si〉{Bi}.Ti}i∈I)pq!l j〈S j〉−−−−−→ (ν′,Tj) ( j ∈ I B j = {δ,λ} ν |= δ ν′ = [λ 7→ 0]ν) bLSELc

(ν,q&{li : 〈Si〉{Bi}.Ti}i∈I)qp?l j〈S j〉−−−−−→ (ν′,Tj) ( j ∈ I B j = {δ,λ} ν |= δ ν′ = [λ 7→ 0]ν) bLBRAc

(ν,T [µt.T/t]) `−→ (ν′,T ′) imply (ν,µt.T ) `−→ (ν′,T ′) bLRECc(ν,T ) t−→ (ν′,T ) (ν+ t |=∗ rdy(T )) bLTIMEc

Rule bLSELc is for send actions and its dual bLBRAc for receive actions. In rule bLTIMEc fortime passing, the constraints of the ready action of T must be satisfiable after t in ν. Notethat T always has only one ready action. The definitions of rdy(T ) and ν+t |=∗ rdy(T )are the obvious extensions of the definitions we have given for TGs.

Given a set of participants {1, . . . ,n} we define configurations (T1, . . . ,Tn,#»w) where

#»w ::= {wi j}i6= j∈{1,...,n} are unidirectional, possibly empty (denoted by ε), unboundedchannels with elements of the form l〈S〉. The LTS of (T1, . . . ,Tn,

#»w) is defined as fol-lows, with ν being the overriding union (i.e., ⊕i∈{1,...,n}νi) of the clock assignments νi

of the participants. (ν,(T1, . . . ,Tn,#»w))

`−→ (ν′,(T ′1 , . . . ,T′

n ,#»w ′)) iff:

(1) ` = pq!l〈S〉 ⇒ (νp,Tp)`−→ (ν′p,T

′p)∧w′pq = wpq · l〈S〉∧ (i j 6= pq⇒ wi j = w′i j ∧Ti = T ′i )

(2) ` = pq?l〈S〉 ⇒ (νq,Tq)`−→ (ν′q,T

′q)∧ l〈S〉 ·w′pq = wpq∧ (i j 6= pq⇒ wi j = w′i j ∧Tj = T ′j )

(3) ` = t⇒∀p 6= q. (νp,Tp)`−→ (νp+ t,Tp) ∧ wpq = w′pq ∧

Tp = r&{lk : 〈Sk〉{δk,λk}.Tk}k∈I ∧wrp = lm〈S〉 ·wrp (m ∈ I) ⇒ ν+ t |=∗ {δm}with p,q, i, j ∈ {1, . . . ,n}.

We write TR(G) for the set of visible traces obtained by reducing G under the initialassignment ν0. Similarly for TR(T1, . . . ,Tn,

#»ε ). We denote trace equivalence by ≈.

Theorem 3.3 (Soundness and completeness of projection) Let G be a timed globaltype and {T1, . . . ,Tn}= {G ↓p}p∈P (G) be the set of its projections, then G≈ (T1, . . . ,Tn,

#»ε ).

4 Multiparty session processes with delaysWe model processes using a timed extension of the asynchronous session calculus [6].The syntax of the session calculus with delays is presented below.

P ::= u[n](y).P Request| u[i](y).P Accept| c[p]/ l〈e〉;P Select| c[p].{li(zi).Pi}i∈I Branching| delay(t).P Delay| if e then P else Q Conditional| P | Q Parallel| 0 Inaction| µX .P Recursion| X Variable

| (νa)P Hide Shared| (νs)P Hide Session| s : h Queue

h ::= /0 | h · (p,q,m) (queue content)m ::= l〈v〉 | (s[p],ν) (messages)c ::= s[p] | y (session names)u ::= a | z (shared names)e ::= v | ¬e | e′op e′ (expressions)v ::= c | u | true | . . . (values)

u[n](y).P sends, along u, a request to start a new session y with participants 1, . . . ,n,where it participates as 1 and continues as P. Its dual u[i](y).P engages in a new sessionas participant i. Select c[p]/ l〈e〉;P sends message l〈e〉 to participant p in session c andcontinues as P. Branching is dual. Request and accept bind y in P, and branching bindszi in Pi. We introduce a new primitive delay(t).P that executes P after waiting exactlyt units of time. Note that t is a constant (as in [5, 16]). The other processes are standard.

7

a[n](y).P1 |∏i∈{2,..,n} a[i](y).Pi −→ (νs)(∏i∈{1,..,n}Pi[s[i]/y] | s : /0) (s 6∈ fn(Pi)) bLINKcs[p][q]/ l〈e〉;P | s : h −→ P | s : h · (p,q, l〈v〉) (e ↓ v) bSELc

s[p][q].{li(zi).Pi}i∈J | s : (p,q, l j〈v〉) ·h −→ Pj[v/z j] | s : h ( j ∈ J) bBRAcdelay(t).P |∏ j∈J s j : h j −→ P |∏ j∈J s j : h j bDELAYc

P−→ P′ (not by bDELAYc) imply P | Q−→ P′ | Q bCOMcif e then P else Q−→ P (e ↓ true) if e then P else Q−→ Q (e ↓ false) bIFT/IFFcP≡ P′ P′ −→ Q′ Q≡ Q′ imply P−→ Q P−→ P′ imply (νn)P−→ (νn)P′ bSTR/HIDEc

Fig. 2. Reduction for processes

We often omit inaction 0, and the label in a singleton selection or branching, and denotewith fn(P) the set of free variables and names of P.

We define programs as processes that have not yet engaged in any session, namelythat have no queues, no session name hiding, and no free session names/variables.

Structural equivalence for processes is the least equivalence relation satisfying thestandard rules from [6] – we recall below (first row) those for queues – plus the follow-ing rules for delays:(νs)s : /0 = 0 s : h · (p,q,m) · (p′,q′,m′) ·h′ ≡ s : h · (p′,q′,m′) · (p,q,m) ·h′ if p 6= p′ or q 6= q′

delay(t + t ′).P≡ delay(t).delay(t ′).P delay(0).P≡ Pdelay(t).(νa)P≡ (νa)delay(t).P delay(t).(P | Q)≡ delay(t).P | delay(t).Q

In the first row: (νs)s : /0 = 0 removes queues of ended sessions, the second rule per-mutes causally unrelated messages. In the second row: the first rule breaks delays intosmaller intervals, and delay(0).P≡ P allows time to pass for idle processes. The rulesin the third row distribute delays in hiding and parallel processes.

The reduction rules are given in Figure 2. In bSELc we write e ↓ v when expressione evaluates to value v. Rule bDELAYc models time passing for P. By combining bDELAYcwith rule delay(t).(P | Q) ≡ delay(t).P | delay(t).Q we allow a delay to elapse si-multaneously for parallel processes. The queues in parallel with P always allow timepassing, unlike other kinds of processes (as shown in rule bCOMc which models the syn-chronous semantics of time in [14]). Rule bCOMc enables part of the system to reduce aslong as the reduction does not involve bDELAYc on P. If P reduces by bDELAYc then alsoall other parallel processes must make the same time step, i.e. the whole system mustmove by bDELAYc. The other rules are standard (n stands for s or a in bHIDEc).

Example 4.1 (Temperature calculation) Process PM is a possible implementation ofparticipant M of the protocol in Example 3.1, e.g., G ↓M. Assuming that at least one taskis needed in each session, we let task() be a local function returning the next task andmore tasks() return true when more tasks have to be submitted and false otherwise.

PM = s[M][W]/ 〈task()〉;µX .delay(2l +w). s[M][W]. (y);if more tasks()then s[M][A]/more〈y〉;s[M][W]/more〈task()〉;X else s[M][A]/ stop〈y〉;s[M][W]/ stop〈〉;end

Proof rules. We validate programs against specifications based on TLs, using judge-ments of the form Γ ` P.∆ and Γ ` e : S defined on the following environments:

Γ ::= /0 | Γ,u : S | Γ,X : ∆ ∆ ::= /0 | ∆,c : (ν,T )The type environment Γ maps shared variables/names to sorts and process variables totheir types, and the session environment ∆ holds information on the ongoing sessions,

8

bVREQc

Γ,u : G ` P.∆,y[1] : (ν0,G ↓1)dom(ν0) = {x1}

Γ,u : G ` u[n](y).P.∆bVACCc

Γ,u : G ` P.∆,y[i] : (ν0,G ↓i)dom(ν0) = {xi} i 6= 1Γ,u : G ` u[i](y).P.∆

bVBRAc∀i ∈ I ν |= δi

{Γ,zi : Si ` Pi .∆,c : ([λi 7→ 0]ν,Ti) (Si 6= (Td ,δd))

Γ ` Pi .∆,c : ([λi 7→ 0]ν,Ti),zi : (νd ,Td) νd |= δd (Si = (Td ,δd))

Γ ` c[p].{li(zi).Pi}i∈I .∆,c : (ν,p&{li : 〈Si〉{δi,λi}.Ti}i∈I)

bVSELc j ∈ I Γ ` e : S j ν |= δ j Γ ` P.∆,c : ([λ j 7→ 0]ν,Tj) (S j 6= (Td ,δd))

Γ ` c[p]/ l j〈e〉;P.∆,c : (ν,p⊕{li : 〈Si〉{δi,λi}.Ti}i∈I)

bVDELc j ∈ I Γ ` e : S j ν |= δ j νd |= δd Γ ` P.∆,c : ([λ j 7→ 0]ν,Tj) (S j = (Td ,δd))

Γ ` c[p]/ l j〈e〉;P.∆,c : (ν,p⊕{li : 〈Si〉{δi,λi}.Ti}i∈I),c′ : (νd ,Td)

bVPARc dom(∆1)∩dom(∆2) = /0 Γ ` Pi .∆i i ∈ {1,2}Γ ` P1 | P2 .∆1,∆2

bVCONDc Γ ` e : bool Γ ` Pi .∆ i ∈ {1,2}Γ ` if e then P1 else P2 .∆

bVTIMEc Γ ` P.{ci : (νi + t,Ti)}i∈IΓ ` delay(t).P.{ci : (νi,Ti)}i∈I

bVENDc∀c ∈ dom(∆) ∆(c) = (ν,end)Γ ` 0.∆

bVDEFcΓ,X : ∆ ` P.∆

Γ ` µX .P.∆bVCALLc∀c ∈ dom(∆′) ∆

′(c) = (ν,end)Γ,X : ∆ ` X .∆,∆′

Fig. 3. Proof rules for programs

e.g., ∆(s[p]) = (ν,T ) when the process being validated is acting as p in session s speci-fied by T ; ν is a ‘virtual’ clock assignment built during the validation.

Resets can generate infinite time scenarios in recursive protocols. To ensure soundtyping we introduce a condition, infinite satisfiability, that guarantees a regularity acrossdifferent instances of a recursion.

Definition 4.2 (Infinitely satisfiable) G is infinitely satisfiable if either: (1) constraintsin recursion bodies have no resets, no equalities nor upper bounds (i.e., x < c or x≤ c),or (2) all participants reset at each iteration.

In the rest of this section we assume that TGs are infinitely satisfiable. As usual (e.g., [13]),in the validation of P we check Γ ` P′ .∆ where P′ is obtained by unfolding once allrecursions µX .P′′ occurring in P. This ensures that both the first instance of a recursionand the successive ones (all similar by infinite satisfiability) satisfy the specification.

We show in Figure 3 selected proof rules for programs. Rule bVREQc for sessionrequest adds a new instance of session for participant 1 to ∆ in the premise. The newlyinstantiated session is associated with an initial assignment ν0 for the clock of partici-pant 1. Rule bVACCc for session accept is similar but initiates a new session for partici-pant i. Rule bVBRAc for branching processes checks all the branches in I. If the receivedmessage is a session (i.e., Si = (Td ,δd)) a new assignment zi : (νd ,Td) is added to ∆ inthe premise. This can be any assignment such that νd |= δd . Rule bVSELc for selectionprocesses checks that the clock constraint δ j of the selected branch j satisfies the cur-rent assignment ν, and updates, in the session environment of the premise, the clockassignment as prescribed by λ j. Rule bVDELc for delegation requires δd to be satisfiedin the assignment νd of the delegated session, which is removed from the premise. RulebVTIMEc increments the clock assignments of all sessions in ∆. Rule bVENDc validates 0if there are no more actions prescribed by ∆. Rule bVDEFc extends Γ with the assignment

9

∀i ∈ {1, ..,n} s 6∈ fn(Pi)

a[n](y).P1 |∏i∈{2,..,n} a[i](y).Pi −→ (νs)(∏i∈{1,..,n}(Pi[s[i]/y] | (s[i],ν0)) | s : /0)bLINKc

delay(t).P |∏ j∈J(s j : h j |∏k∈K j (s j[pk],νk))−→ P |∏ j∈J(s j : h j |∏k∈K j (s j[pk],νk + t)) bDELAYce ↓ v ν

′ = [λ 7→ 0]ν δ |= ν

s[p][q]/{δ,λ}l〈e〉;P | s : h | (s[p],ν)−→ P | s : h · (p,q, l〈v〉) | (s[p],ν′)bSELc

¬δ |= ν

s[p][q]/{δ,λ}l〈e〉;P | s : h | (s[p],ν)−→ error | s : h | (s[p],ν)bESELc

Fig. 4. Extended reduction for processes with errors and clocks (selected rules)

for process variable X . Rules bVPARc and bVCONDc are standard. Rule bVCALLc validates,as usual, recursive call X against Γ(X) (and possibly some terminated sessions ∆′).

Theorem 4.3 (Type preservation) If Γ ` P. /0 and P−→ P′, then Γ ` P′ . /0.

In the above theorem, P is a process reduced from a program (hence ∆ is /0). A standardcorollary of type preservation is error freedom. An error state is reached when a processperforms an action at a time that violates the constraints prescribed by its type. To for-mulate this property, we extend the syntax of processes as follows: selection and branch-ing are annotated with clock constraints and reset predicates (i.e., c[p] / l〈e〉{δ,λ};Pand c[p].{li(zi){δi,λi}.Pi}i∈I); two new processes, error and clock process (s[p],ν),are introduced. Process error denotes a state in which a violation has occurred, and(s[p],ν) associates a clock assignment ν to ongoing session s[p]. The reduction rules forprocesses are extended as shown in Figure 4: bLINKc introduces a clock process (s[i],ν0)with initial assignment for each participant i in the new session; bDELAYc increments allclock assignments, bSELc checks the clock constraints against clock assignments andappropriately resets (the rule for branching is extended similarly); bESELc is an addi-tional rule which moves to error when a process tries to perform a send action at atime that does not satisfy the constraint (a similar rule is added for violating receiveactions). Note that bSELc only resets the clocks associated to participant p in session sand never affects clocks of other participants and sessions. The proof rules are adaptedstraightforwardly, with error not validated against any ∆.

Theorem 4.4 (Time-error freedom) If Γ ` P.∆, and P→∗ P′ then P′ 6≡ error.

5 Time-progress of timed processes and CTAsThis section studies a subclass of timed global types characterised by two properties,feasibility and wait-freedom and states their decidability; it then shows that these aresufficient conditions for progress of validated processes and CTAs.

Feasibility. A TG G is feasible iff (ν0,G0) −→∗ (ν,G) implies (ν,G) −→∗ (ν′,end)for some ν′. Intuitively, G0 is feasible if every partial execution can be extended toa terminated session. Not all TGs are feasible. The specified protocol may get stuckbecause a constraint is unsatisfiable, for example it is false, or the restrictions posedby previously occurred constraints are too strong. In Figure 5: in (1) if p sends 〈int〉 attime 5, which satisfies xp > 3, then there exists no xq satisfying xq = 4 (considering thatxq must be greater than or equal to 5 to respect the global flowing of time); (2) amends

10

1. p→ q : 〈int〉{xp > 3, ,xq = 4, }2. p→ q : 〈int〉{xp > 3∧ xp ≤ 4, ,xq = 4, } 3. p→ q : 〈int〉{xp > 3, ,xq ≥ 4, }4. q→ r : {l1 : {xq > 3, ,true, }, l2 : {xq < 3, ,true, }}5. µt.p→ q : 〈int〉{xp < 1,xp,xq = 2,xq}.p→ r : 〈int〉{xp < 5, ,true,xr}.t6. µt.p→ q : 〈int〉{xp < 1,xp,xq = 2,xq}.p→ r : 〈int〉{xp < 1, ,true,xr}.t

Fig. 5. Examples of non-feasible (1,5) and feasible (2,3,4,6) global types

(1) by restricting the earlier constraint; (3) amends (1) by relaxing the unsatisfiableconstraint. In branching and selection at least one constraint associated to the branchesmust be satisfiable, e.g., we accept (4). In recursive TGs, a constraint may becomeunsatisfiable by the restrictions posed by constraints that occur after, syntactically, inthe same recursion body. In the second iteration of (5) xq = 2 is made unsatisfiableby the restriction xp < 5 form the first iteration (e.g., p may send q the message whenxq > 2); in (6) this problem is solved by restricting the second constraint on xp.

Wait-freedom. In distributed implementations, a party can send a message at any timesatisfying the constraint. Another party can choose to execute the corresponding receiveaction at any specific time satisfying the constraint without knowing when the messagehas been or will be sent. If the constraints in a TG allow a receive action before thecorresponding send, a complete correct execution of the protocol may not be possibleat run-time (as we will illustrate later with an example). We introduce a condition onTGs called wait-freedom, ensuring that in all the distributed implementations of a TG,a receiver checking the queue at any prescribed time never has to wait for a message.

Formally (and using ⊃ for logic implication): G0 is wait-free iff (ν0,G0) −→∗pq!l〈S〉−−−−→

(ν,G) and p q : l〈S〉{δO,λO,δI,λI}.G′ ∈ G imply δI ⊃ ν(x)≤ x for all x ∈ fn(δI).We show below a process P | Q whose correct execution cannot complete despite

P | Q is the well-typed implementation of a feasible (but not wait-free) TG.

G = p→ q : 〈int〉{xp < 3∨ xp > 3, ,xq < 3∨ xq > 3, }.q→ p : {l1 : {xq > 3, ,xp > 3, }, l2 : {xq < 3, ,xp < 3, }}

G ↓p = q⊕〈int〉{xp < 3∨ xp > 3, }.q&{l1 : {xp > 3, }, l2 : {xp < 3, }}G ↓q = p&〈int〉{xq < 3∨ xq > 3, }.p⊕{l1 : {xq > 3, }, l2 : {xq < 3, }}P = delay(6).s[p][q]/ 〈10〉;s[q][p].{l1.0, l2.0} Q = s[p][q]. (x).s[q][p]/ l2〈〉;0

P implements G ↓p: it waits 6 units of time, then sends q a message and waits for thereply. Q implements G ↓q: it receives a message from p and then selects label l2; bothinteractions occur at time 0 which satisfies the clock constraints of G ↓q. By Theo-rem 4.4, since /0 ` P |Q. s[p] : (ν0,G ↓p),s[q] : (ν0,G ↓q), no violating interactions willoccur in P | Q. However P | Q cannot make any step and the session it stuck. This sce-nario, unlike errors in § 4 representing violations, models the fact that a non wait-freespecification allows participants to have incompatible views of the timings of action.

Decidability. If G is infinitely satisfiable (as also assumed by the typing in § 4), thenthere exists a terminating algorithm for checking that it is feasible and wait-free. Thealgorithm is based on a direct acyclic graph annotated with clock constraints and resetpredicates, and whose edges model the causal dependencies between actions in (theone-time unfolding of) G. The algorithm yields Proposition 5.1.

11

Proposition 5.1 (Decidability) Feasibility and wait-freedom of infinitely satisfiable TGsare decidable.

Time-progress for processes. We study the conditions under which a validated pro-gram P is guaranteed to proceed until the completion of all activities of the protocolsit implements, assuming progress of its untimed counterpart (i.e., erase(P)). The era-sure erase(P) of a timed processes P is defined inductively by removing the delays inP (i.e., erase(delay(t).P′) = erase(P′)), while leaving unchanged the untimed parts(e.g., erase(u[n](y).P′) = u[n](y).erase(P′)); the other rules are homomorphic.

Proposition 5.2 (Conformance) If P−→ P′, then erase(P)−→∗ erase(P′).

Processes implementing multiple sessions may get stuck because of a bad timing oftheir attempts to initiate new sessions. Consider P = delay(5).a[2](v).P1 | a[2](y).P2;erase(P) can immediately start the session, whereas P is stuck. Namely, the delay of5 time units introduces a deadlock in a process that would otherwise progress. Thisscenario is ruled out by requiring processes to only initiate sessions before any delayoccurs, namely we assume processes to be session delay. All examples we have exam-ined in practice (e.g., OOI use cases [17]) conform session delay.

Definition 5.3 (Session delay) P is session delay if for each process occurring in P ofthe form delay(t).P′ (with t > 0), there are no session request and session accept in P′.

We show that feasibility and wait-freedom, by regulating the exchange of messageswithin established sessions, are sufficient conditions for progress of session delay pro-cesses. We say that P is a deadlock process if P−→∗ P′ where P′ 6−→ and P′ 6≡ 0, andthat Γ is feasible (resp. wait-free) if Γ(u) is feasible (resp. wait-free) for all u∈ dom(Γ).

Theorem 5.4 (Timed progress in interleaved sessions) Let Γ be a feasible and wait-free mapping, Γ ` P0 . /0, and P0 −→+ P. If P0 is session delay, erase(P) is not adeadlock process and if erase(P)−→ then P−→.

Several typing systems guarantee deadlock-freedom, e.g. [6]. We use one instance from[13] where a single session ensures deadlock-freedom. We characterise processes im-plementing single sessions, or simple, as follows: P is simple if P0 −→∗ P for someprogram P0 such that a : G ` P0 . /0, and P0 = a[n](y).P1 | ∏i∈{2,..,n} a[i](y).Pi whereP1, . . . ,Pn do not contain any name hiding, request/accept, and session receive/delegate.

Corollary 5.5 (Time progress in single sessions) Let G be feasible and wait-free, andP be a simple process with a : G ` P . /0. If erase(P) −→, then there exist P′ and P′′

such that erase(P)−→ P′, P−→+ P′′ and erase(P′′) = P′.

Progress for CTAs. Our TGs (§ 3) are a natural extension of global types with timednotions from CTAs. This paragraph clarifies the relationships between TGs and CTAs.We describe the exact subset of CTAs that corresponds to TGs. We also give the condi-tions for progress and liveness that characterise a new class of CTAs.

12

We first recall some definitions from [3, 14]. A timed automaton is a tuple A =(Q,q0,Act,X ,E,F) such that Q are the states, q0 ∈ Q is the initial state, Act is the al-phabet, X are the clocks, and E ⊆ (Q×Q×Act×2X×Φ(X)) are the transitions, where2X are the reset predicates, Φ(X) the clock constraints, and F the final states. A networkof CTAs is a tuple C =(A1, . . . ,An,

#»w) where #»w = {wi j}i6= j∈{1,..,n} are unidirectional un-bounded channels. The LTS for CTAs is defined on states s = ((q1,ν1), . . . ,(qn,νn),

#»w)and labels L and is similar to the semantics of configurations except that each Ai canmake a time step even if it violates a constraint. For instance, assume that A1 can onlyperform transition (q1,q′1, i j!l〈S〉, /0,xi ≤ 10) from a non-final state q1, and that ν1 = 10,then the semantics in [14] would allow a time transition with label 10. However, aftersuch transition A1 would be stuck in a non-final state and the corresponding trace wouldnot be accepted by the semantics of [14].

In order to establish a natural correspondence between TGs and CTAs we introducean additional condition on the semantics of C , similar to the constraint on ready actionsin the LTS for TG (rule bTIMEc in § 3). We say that a time transition with label t is spec-ified if ∀i ∈ {1, ..,n}, νi + t |=∗ rdy(qi) where rdy(qi) is the set {δ j} j∈J of constraintsof the outgoing actions from qi. We say that a semantics is specified if it only allowsspecified time transitions. With a specified semantics, A1 from the example above couldnot make any time transition before action i j!l〈S〉 occurs.

The correspondence between TGs and CTAs is given as a sound and complete en-coding. The encoding from T into A , denoted by A(T ), follows exactly the definitionin [11, § 2], but adds clock constraints and reset predicates to the corresponding edges,and sets the final states to {end}. The encoding of a set of TLs {Ti}i∈I into a networkof CTAs, written A({Ti}i∈I), is the tuple (A(T1), . . . ,A(Tn),

#»ε ). Let G have projections

{Ti}i∈I , we write A(G) for as (A(T1), . . . ,A(Tn),#»ε ).

Before stating soundness and completeness, we recall and adapt (to the timed set-ting), two conditions from [11]: the basic property (timed automata have the same shapeas TLs) and multiparty compatibility (timed automata perform the same actions as a setof projected TG). A state s is stable when all its channels are empty. More precisely: C isbasic when all its timed automata are deterministic, and the outgoing actions from each(qi,Ci) are all sending or all receiving actions, and all to/from the same co-party. C ismultiparty compatible when in all its reachable stable states, all possible (input/output)action of each timed automaton can be matched with a corresponding complementary(output/input) actions of the rest of the system after some 1-bounded executions (i.e.,executions where the size of each buffer contains at most 1 message).1

A session CTA is a basic and multiparty compatible CTA with specified semantics.

Theorem 5.6 (Soundness and completeness) (1) Let G be a (projectable) TG thenA(G) is basic and multiparty compatible. Furthermore with a specified semantics G≈A(G). (2) If C is a session CTA then there exists G such that C ≈ A(G).

1 Note that: (1) multiparty compatibility allows scenarios with unbounded channels e.g., the channel fromp to q in µt.p→ q : l〈S〉{A}.t, and (2) considering 1-bounded executions (for a simpler theory) preservesgenerality due to a property called stability in [11] and directly applicable to our scenario. By stability, ifC is basic and multiparty compatible, then for all its reachable states s there exists an execution s−→∗ s′

from s to a stable state s′, and there exists a 1-bounded execution s0 −→∗ s′ from the initial state s0 of C tos′. Namely, after an appropriate execution any reachable state can be reached by a 1-bounded execution.

13

Our characterisation does not directly yields transparency of properties, differentlyfrom the untimed setting [11] and similarly to timed processes (§ 4). In fact, a sessionCTA itself does not satisfy progress. In the following we give the conditions that guar-antee progress and liveness of CTAs. Let s = ((q1,ν1), . . . ,(qn,νn),

#»w) be a reachablestate of C : s is a deadlock state if (i) #»w = #»

ε , (ii) for all i ∈ {1, . . . ,n}, (qi,νi) doesnot have outgoing send actions, and (iii) for some i ∈ {1, . . . ,n}, (qi,νi) has incomingreceiving action; s satisfies progress if for all s′ reachable from s: (1) s′ is not a deadlockstate, and (2) ∀t ∈ N, ((q1,ν1 + t), . . . ,(qn,νn + t), #»w) is reachable from s in C . We sayC satisfies liveness if for every reachable state s in C , s−→∗ s′ with s′ final.

Progress entails deadlock freedom (1) and, in addition, requires (2) that it is alwayspossible to let time to diverge; namely the only possible way forward cannot be byactions occurring at increasingly short intervals of time (i.e., Zeno runs).2

We write TR(C ) for the set of visible traces that can be obtained by reducing C . Weextend to CTAs the trace equivalence ≈ defined in § 3.

Theorem 5.7 (Progress and liveness for CTAs) If C is a session CTA and there existsa feasible G s.t. C ≈ A(G), then C satisfies progress and liveness.

6 Conclusion and related work

This work designs a choreographic timed specification based on the semantics of CTAsand MPSTs, and attests its theory in the π-calculus. The table below recalls the resultsfor the untimed setting we build upon (first row), and summarises the results in thiswork: a decidable proof system for π-calculus processes ensuring time-error freedomand a sound and complete characterisation of CTAs (second row), and two conditions,with decidable algorithms, ensuring progress of processes (third row). These conditionsalso characterise a new class of CTAs, without restrictions on the topologies, that satisfyprogress and liveness. We have verified the practicability of our approach in an imple-mentation of a timed conversation API for Python. The prototype [1] is currently beingintegrated into the OOI infrastructure [17].

TGs π-calculus session CTAsuntimed type safety, error-freedom, Sound, complete characterisation,

progress [13] progress [11]timed type safety (Thm 4.3) Sound, complete characterisation,

error-freedom (Thm 4.4) (Thm 5.6)feasible, wait-free progress (Thm 5.4, Thm 5.5) progress (Thm 5.7)

Literature on MPSTs. The extension of the semantics of types with time is delicate asit may introduce unwanted executions (as discussed in § 3). To capture only the correctexecutions (corresponding to accepted traces in timed automata) we have introduced anew condition on time reductions of TGs and TLs: satisfiability of ready actions (e.g.,bTIMEc in Figure 1). Our main challenge was extending the progress properties of un-timed types [6] and CAs [11] to timed interactions. We introduced two additional neces-sary conditions for the timed setting, feasibility and wait-freedom, whose decidability

2 The time divergence condition is common in timed setting and is called time-progress in [3].

14

is non trivial, and their application to time-progress is new. The theory of assertion-enhanced MPSTs [7] (which do not include progress) could not be applied to the timedscenario due to resets and the need to ensure consistency w.r.t. absolute time flowing.Reachability and verification. In our work, if a CTA derives from a feasible TG thenerror and deadlock states will not be reached. Decidability of reachability for CTAs hasbeen proven for specific topologies: those of the form (A1,A2,w1,2) [14] and poly-forests [10]. A related approach [2] extends MSCs with timed events and provides veri-fication method that is decidable when the topology is a single strongly connected com-ponent, which ensures that channels have an upper bound. Our results do not depend onthe topology nor require a limitation of the buffer size (e.g., the example in § ?? is nota polyforest and the buffer of A is unlimited). On the other hand, our approach relies onthe additional restrictions induced by the conversation structure of TGs.Feasibility. Feasibility was introduced in a different context (i.e., defining a not toostringent notion of fairness) in [4]. This paper gives a concrete definition in the contextof real-time interactions, and states its decidability for infinitely satisfiable TGs. [21]gives an algorithm to check deadlock freedom for timed automata. The algorithm, basedon syntactic conditions on the states relying on invariant annotations, is not directlyapplicable to check feasibility e.g., on the timed automaton derived from a TG.Calculi with time. Recent work proposes calculi with time, for example: [18] includestime constraints inspired by timed automata into the π-calculus, [5, 16] add timeouts,[12] analyses the active times of processes, and [15] for service-oriented systems. Theaim of our work is different from the work above: we use timed specifications as typesto check time properties of the interactions, rather than enriching the π-calculus syntaxwith time primitives and reason on examples using timed LTS (or check channels lin-earity as [5]). Our aim is to define a static checker for time-error freedom and progresson the basis of a semantics guided by timed automata. With this respect, our calculus isa small syntactic extension from the π-calculus and is simpler than the above calculi.

References1. Timed conversation API for Python. www.doc.ic.ac.uk/˜lbocchi/TimeApp.html.2. S. Akshay, P. Gastin, M. Mukund, and K. N. Kumar. Model checking time-constrained

scenario-based specifications. In FSTTCS, volume 8 of LIPIcs, pages 204–215, 2010.3. R. Alur and D. L. Dill. A theory of timed automata. TCS, 126:183–235, 1994.4. K. R. Apt, N. Francez, and S. Katz. Appraising fairness in distributed languages. In POPL,

pages 189–198. ACM, 1987.5. M. Berger and N. Yoshida. Timed, distributed, probabilistic, typed processes. In APLAS,

volume 4807 of LNCS, pages 158–174. 2007.6. L. Bettini et al. Global progress in dynamically interleaved multiparty sessions. In CONCUR,

volume 5201 of LNCS, pages 418–433, 2008.7. L. Bocchi, K. Honda, E. Tuosto, and N. Yoshida. A theory of design-by-contract for dis-

tributed multiparty interactions. In CONCUR, volume 6269 of LNCS, pages 162–176, 2010.8. D. Brand and P. Zafiropulo. On communicating finite-state machines. J. ACM, 30:323–342,

1983.9. G. Castagna, M. Dezani-Ciancaglini, and L. Padovani. On global types and multi-party

session. Logical Methods in Computer Science, 8(1), 2012.10. L. Clemente, F. Herbreteau, A. Stainer, and G. Sutre. Reachability of communicating timed

processes. In FOSSACS, volume 7794 of LNCS, pages 81–96. Springer, 2013.

15

11. P.-M. Denielou and N. Yoshida. Multiparty compatibility in communicating automata: Char-acterisation and synthesis of global session types. In ICALP, volume 7966 of LNCS, pages174–186, 2013.

12. M. Fischer et al. A new time extension to π-calculus based on time consuming transitionsemantics. In Languages for System Specification, pages 271–283. 2004.

13. K. Honda, N. Yoshida, and M. Carbone. Multiparty Asynchronous Session Types. In POPL,pages 273–284. ACM, 2008.

14. P. Krcal and W. Yi. Communicating timed automata: The more synchronous, the more diffi-cult to verify. In CAV, volume 4144 of LNCS, pages 243–257, 2006.

15. A. Lapadula, R. Pugliese, and F. Tiezzi. Cows: A timed service-oriented calculus. In ICTAC,volume 4711 of LNCS, pages 275–290, 2007.

16. H. A. Lopez and J. A. Perez. Time and exceptional behavior in multiparty structured inter-actions. In WS-FM, volume 7176 of LNCS, pages 48–63. 2012.

17. Ocean Observatories Initiative (OOI). http://oceanobservatories.org/.18. N. Saeedloei and G. Gupta. Timed π-calculus. In TGC, LNCS, 2013. to appear.19. Savara JBoss Project. http://www.jboss.org/savara.20. Scribble Project homepage. www.scribble.org.21. S. Tripakis. Verifying progress in timed systems. In Formal Methods for Real-Time and

Probabilistic Systems, volume 1601 of LNCS, pages 299–314. 1999.

16